3 Very Bad Things
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently started a catalog of "bad practices" (https://www.cisa.gov/BadPractices), initially listing three practices that are considered "exceptionally risky" in terms of protecting your business from malicious actors and breaches. The catalog will continually be enhanced, and new items will be added to the same web page. Below is a quick highlight of the first three bad practices:
Single-Factor Authentication
Using a single factor (e.g., a password), especially for remote or administrative systems, is bad and dangerous. Doing so significantly elevates the risk to your data. Always enable and enforce the use of multi-factor authentication (MFA) on any system that supports it. If a system doesn't offer MFA, particularly a system offered as Software-as-a-Service (SaaS) or another cloud service, you should revisit the risk assessment for that tool or system and strongly consider whether the safety of your business data is worth the risk.
Default Passwords and Credentials
Using default, fixed, or known passwords for any system is simply foolish, and especially egregious - even negligent - for any system accessible from the internet. When bringing a new system online, or establishing a new account for an online system, the first thing you should do is change or set a new password. Additionally, your password or passphrase should be lengthy - at least 14 characters - and should never be the same as a password you use for any other system. Use a password manager to make this process as simple as can be.
Unsupported or End-of-Life (EOL) Software
All software reaches the end of its life sometime. This doesn't mean the application ceases to exist, but rather that the vendor has stopped providing support, which, translated into the information security world, means that any vulnerability subsequently discovered is never fixed. Usually EOL for software leads to an upgrade or replacement. However, if you're still using software or applications that are past their end-of-life date, that also means you likely haven't been keeping up with patches, version upgrades, and so on. This leaves you wide open for malicious actors to take advantage of any of those vulnerabilities to access your systems and network. It's like that little hole in your attic: if you don't fix it, mice or squirrels will get in and have a grand party! Except that this party is all about stealing your data and getting some money for it.
A quick note about the CISA Bad Practices guide: if you read through the page, it's obvious that CISA is primarily directing these tips at what is considered Critical Infrastructure and National Critical Functions; that's their job. But while our local mom & pop hardware store, corner drug store, or neighborhood family care physician likely hasn't made the list of Critical Infrastructure organizations, the tips and Bad Practices are relevant to everyone, from the solo practitioner chiropractor down the street, to the CPA who works from her home, to massive organizations like Boeing and Google. Use these tips to engage with your IT provider and ensure they are appropriately addressed and mitigated for your business.
If you feel you need some help in assessing the risk or potential risk of your information systems and data, please reach out and touch base with us. We are here to help you understand and navigate the weird little "gotchas" of keeping your business data secure, and we are more than happy to work with your IT or Managed Service provider to make it even easier.
Castle Labs: Security!